Denial of Service and Distributed Denial of Service Attacks


Objectives:
1. To understand denial of service and distributed denial of service attacks.
2. To take a glance at DoS techniques.

Distributed denial of service (DDoS) attacks present a significant security threat to corporations, and the threat appears to be growing. In one study, covering a three-week period in 2001, investigators observed more than 12,000 attacks against more than 5,000 distinct targets, ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. DDoS attacks make computer systems inaccessible by flooding servers, networks, or even end-user systems with useless traffic so that legitimate users can no longer gain access to those resources. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets. In recent years, the attack methods and tools have become more sophisticated, more effective, and more difficult to trace to the real attackers, while defense technologies have been unable to withstand large-scale attacks.

A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When the attack comes from a single host or network node, it is simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack, in which the attacker recruits a number of hosts throughout the Internet to launch an attack on the target simultaneously or in a coordinated fashion. A DDoS attack attempts to consume the target's resources so that it cannot provide service.

One way to classify DDoS attacks is by the type of resource that is consumed. Broadly speaking, the resource consumed is either an internal host resource on the target system or data transmission capacity in the local network to which the target is attached.

A simple example of an internal resource attack is the SYN flood attack. Figure 1a shows the steps involved:

1. The attacker takes control of multiple hosts over the Internet, instructing them to contact the target Web server.

2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target. The victim then tries to send a SYN/ACK packet to the spoofed address. If the spoofed system existed, it would normally respond with an RST packet to the victim because it did not initiate the connection, so the attacker must choose spoofed addresses that are unreachable. The victim therefore sends a SYN/ACK packet and never receives an RST packet back. This potential connection is now in the SYN_RECV state and is placed into a connection queue. The system is now committed to setting up a connection, and this potential connection will only be flushed from the queue after the connection-establishment timer expires. The connection timer varies from system to system but can be as short as 75 seconds or as long as 23 minutes for some broken IP implementations. Because the connection queue is normally very small, attackers may only have to send a few SYN packets every 10 seconds to completely disable a specific port. The system under attack will never be able to clear the backlog queue before receiving new SYN requests.

3. Each SYN packet is a request to open a TCP connection. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet, trying to establish a TCP connection with a TCP entity at a spurious IP address. The Web server maintains a data structure for each SYN request awaiting a response and becomes bogged down as more traffic floods in. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
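The backlog arithmetic behind step 2, plus a detection rule a defender can run over the local socket table, as an added Python example that is not part of the handout. min_syn_rate models a queue whose slots are freed only by the connection-establishment timer; syn_flood_alerts counts SYN-RECV entries per local port in lines shaped like `ss -tan` output (the sample lines and the 10.0.0.5 host are constructed).

```python
"""Half-open (SYN_RECV) backlog exhaustion model and a detection rule over
socket-state lines. Added example, not from the handout."""
import re
from collections import defaultdict


def min_syn_rate(backlog_size, timeout_s):
    """Smallest sustained rate of spoofed SYNs (packets/s) that keeps a backlog
    of backlog_size slots full when a slot is only freed after the timeout_s
    connection-establishment timer expires (the handout's 75 s case is small)."""
    return backlog_size / timeout_s


# Constructed sample in the style of `ss -tan` output (not a real capture).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:80         198.51.100.7:51234
ESTAB     0      0      10.0.0.5:22         198.51.100.8:50001
SYN-RECV  0      0      10.0.0.5:80         203.0.113.11:40001
SYN-RECV  0      0      10.0.0.5:80         203.0.113.12:40002
SYN-RECV  0      0      10.0.0.5:80         203.0.113.13:40003
SYN-RECV  0      0      10.0.0.5:80         203.0.113.14:40004
SYN-RECV  0      0      10.0.0.5:22         198.51.100.9:50002
"""

_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def half_open_by_port(ss_output):
    """Map local port -> list of peer IPs whose connections sit in SYN-RECV
    (the half-open queue the handout describes)."""
    peers = defaultdict(list)
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == "SYN-RECV":
            peers[int(m.group(3))].append(m.group(4))
    return dict(peers)


def syn_flood_alerts(ss_output, threshold):
    """Ports with at least threshold half-open entries -> (entries, distinct peers).
    Many distinct peers that never finish the handshake is the flood signature:
    each is a spoofed, unreachable source that will never answer our SYN/ACK."""
    return {port: (len(p), len(set(p)))
            for port, p in half_open_by_port(ss_output).items()
            if len(p) >= threshold}
```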

Figure 1

The TCP state data structure is a popular internal resource target but by no means the only one. Other examples include:

1. In many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself.

2. An intruder may also attempt to consume disk space in other ways, including:
   a. generating excessive numbers of mail messages
   b. intentionally generating errors that must be logged
   c. placing files in anonymous FTP areas or network-shared areas

Figure 1b illustrates an example of an attack that consumes data transmission resources. The following steps are involved:

1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets, with the target's spoofed IP address as the source, to a group of hosts that act as reflectors, as described subsequently. The Internet Control Message Protocol (ICMP) is an IP-level protocol for the exchange of control packets between a router and a host or between hosts. The ECHO packet requires the recipient to respond with an echo reply, to check that communication is possible between the entities.

2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.

3. The target's router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.

Another way to classify DDoS attacks is as either direct or reflector DDoS attacks. In a direct DDoS attack (Figure 2a), the attacker is able to implant zombie software on a number of sites distributed throughout the Internet. Often, the DDoS attack involves two levels of zombie machines: master zombies and slave zombies. Both kinds of host have been infected with malicious code. The attacker coordinates and triggers the master zombies, which in turn coordinate and trigger the slave zombies. The use of two levels of zombies makes it more difficult to trace the attack back to its source and provides a more resilient network of attackers.

A reflector DDoS attack adds another layer of machines (Figure 2b). In this type of attack, the slave zombies construct packets requiring a response that contain the target's IP address as the source IP address in the packet's IP header. These packets are sent to uninfected machines known as reflectors. The uninfected machines respond with packets directed at the target machine. A reflector DDoS attack can easily involve more machines and more traffic than a direct DDoS attack and hence be more damaging. Further, tracing back the attack or filtering out the attack packets is more difficult because the attack comes from widely dispersed uninfected machines.
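Because the reflectors' echo replies answer requests the target never sent, the target host can recognise the Figure 1b traffic by matching inbound echo replies against its own outstanding echo requests. This is an added Python example, not part of the handout; the ICMP event lines (direction, type, src, dst, id, seq) and all addresses are constructed.

```python
"""Detect unsolicited ICMP echo replies, the traffic a reflector (bounce-site)
attack delivers to its target. Added example, not from the handout."""
from collections import Counter

# Constructed ICMP event lines: direction type src dst id seq (not a capture).
# Type 8 = echo request, type 0 = echo reply. The host 10.0.0.5 pinged
# 198.51.100.20 once; every other reply answers a request it never sent.
SAMPLE_ICMP = """\
out 8 10.0.0.5 198.51.100.20 4242 1
in  0 198.51.100.20 10.0.0.5 4242 1
in  0 203.0.113.1 10.0.0.5 7 1
in  0 203.0.113.2 10.0.0.5 7 1
in  0 203.0.113.3 10.0.0.5 7 1
in  0 203.0.113.1 10.0.0.5 7 2
in  0 203.0.113.4 10.0.0.5 7 2
"""


def parse_icmp_events(text):
    """Turn the constructed lines into (direction, type, src, dst, id, seq) tuples."""
    events = []
    for line in text.splitlines():
        d, t, src, dst, ident, seq = line.split()
        events.append((d, int(t), src, dst, int(ident), int(seq)))
    return events


def unsolicited_echo_replies(events):
    """Counter of reflector source -> echo replies that match no request we sent.
    A request is keyed by (peer, id, seq); a reply consumes its key once."""
    outstanding = set()
    unsolicited = Counter()
    for d, t, src, dst, ident, seq in events:
        if d == "out" and t == 8:
            outstanding.add((dst, ident, seq))
        elif d == "in" and t == 0:
            key = (src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)       # legitimate answer to our ping
            else:
                unsolicited[src] += 1          # reflected traffic aimed at us
    return unsolicited


def reflector_alert(events, min_reflectors):
    """(flagged, reflector list): flag when unsolicited replies arrive from at
    least min_reflectors distinct hosts, the signature of a bounce site."""
    counts = unsolicited_echo_replies(events)
    return len(counts) >= min_reflectors, sorted(counts)
```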

Figure 2

Ping of Death: More Details

Ping of death (ping -l 65510 192.168.2.3) on a Windows system (where 192.168.2.3 is the IP address of the intended victim). The "Ping o' Death" takes advantage of the ability of the Internet Protocol (the protocol on top of which all other Internet protocols are built) to fragment packets. This works as follows. The specification for the Internet Protocol (IP) says that a packet may be up to 65,535 (2^16 - 1) bytes in length, including the packet header. But the specifications for most network technologies in use today do not allow packets that big; for example, the maximum Ethernet packet size is 1,500 bytes. To allow large packets to be sent, IP allows the sender to break a large packet up into several smaller packets. Each fragment packet contains an offset value that says where in the larger packet this fragment belongs: the first fragment has an offset of zero, the second fragment has an offset equal to the length of the first fragment, and so on. Note that this makes it possible to combine a valid offset with a suitable fragment size such that (offset + size) is greater than 65,535, the maximum size of a packet.

The problem arises in the way packet fragmentation is implemented by most systems. Typically, they do not attempt to process a packet until all the fragments have been received and an attempt has been made to reassemble them into one big packet. This opens these systems to the possibility of overflow of 16-bit internal variables, resulting in system crashes, protocol hangs, and other problems. This problem was first discovered in the context of sending ICMP ECHO REQUEST packets, commonly called "ping" packets after the application program used to send them. Most implementations of "ping" will not allow improperly sized packets to be sent, although there are several exceptions to this (and many systems can be modified to allow it, in any case). Because sending a single, large (65,510-byte) "ping" packet to many systems would cause them to hang or even crash, this problem was quickly dubbed the "Ping of Death".

Summary of DoS Techniques

1) ICMP floods ("Ping of Death").

2) SYN flood.

3) UDP floods. Due to the unreliable nature of UDP, it is relatively trivial to send overwhelming streams of UDP packets that cause noticeable computational load on a system. There is nothing technically extraordinary about UDP flooding beyond the ability to send as many UDP packets as possible in the shortest amount of time.

4) Application layer. An attacker finds a resource on a popular Internet site that requires very little computation for the client to request and yet causes a very high computational load on the server to deliver. A good example of this is initiating multiple simultaneous searches across a bulletin board site (for example, vBulletin, phpBB). Using perhaps as little as a few queries per second, the attacker can bring the site to its knees.

5) Fragmentation overlap. Overlapping TCP/IP packet fragments caused many OSes to suffer crashes and resource starvation issues. Exploit code was released with names such as teardrop, bonk, boink, and nestea.

6) Nukers. A Windows vulnerability of some years ago in which out-of-band (OOB) packets (TCP segments with the URG bit set) sent to a system caused it to crash. These attacks became very popular on chat and game networks for disabling anyone who crossed you.

7) IP fragmentation. When the maximum fragmentation offset is specified by the source (attacker) system, the destination computer or network infrastructure (victim) can be made to perform significant computational work reassembling packets.

DDoS Countermeasures

In general, there are three lines of defense against DDoS attacks:

Attack prevention and preemption (before the attack): These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. Techniques include enforcing policies for resource consumption and providing backup resources available on demand. In addition, prevention mechanisms modify systems and protocols on the Internet to reduce the possibility of DDoS attacks.

Attack detection and filtering (during the attack): These mechanisms attempt to detect the attack as it begins and respond immediately, minimizing the impact of the attack on the target. Detection involves looking for suspicious patterns of behavior. Response involves filtering out packets likely to be part of the attack.

Attack source traceback and identification (during and after the attack): This is an attempt to identify the source of the attack as a first step in preventing future attacks. However, this method typically does not yield results fast enough, if at all, to mitigate an ongoing attack.

DDoS Countermeasures Techniques

This portion is left for you. Refer to the books and read more documents on the lab web page. In your lab report, it is strongly recommended that you attach DDoS countermeasure techniques and comment on them for this lab.

References:
1. Cryptography and Network Security: Principles and Practice, Fourth Edition, by William Stallings.
2. Hacking Exposed: Network Security Secrets and Solutions, 6th edition, by Stuart McClure, Joel Scambray, George Kurtz.
3. http://www.securityfocus.com
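For the Ping of Death discussion above, the defect is a reassembler that trusts (offset + size) without checking it against the 65,535-byte limit in arithmetic wider than 16 bits. This added Python example (not part of the handout) builds constructed IPv4 fragments, computes each fragment's byte range from the wire header, and applies the bounds check before any data is copied into the reassembly buffer; build_fragment, check_fragment and reassemble are names chosen here, and all addresses are constructed.

```python
"""Bounds check a hardened IP reassembler applies before accepting a fragment,
the missing check behind the Ping of Death. Added example, not from the handout."""
import struct
import ipaddress

IP_MAX_LEN = 65535            # 2^16 - 1, largest total length IP allows
_HDR = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header, no options


def build_fragment(src, dst, offset_units, more_fragments, payload, ident=0x1234):
    """Construct an IPv4 fragment (ICMP, protocol 1) for testing. offset_units is
    the 13-bit fragment offset in 8-byte units, as carried on the wire."""
    total_length = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(_HDR, 0x45, 0, total_length, ident, flags_frag, 64, 1, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def fragment_bounds(packet):
    """Return (ident, start, end, more_fragments) with start/end in bytes of the
    reassembled datagram. end is computed in Python ints, so it can legitimately
    exceed 65,535 here instead of wrapping as a 16-bit variable would."""
    ver_ihl, _, total_length, ident, flags_frag, _, _, _, _, _ = struct.unpack(_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8          # at most 65,528
    end = start + (total_length - ihl)         # valid offset + size may pass 65,535
    return ident, start, end, bool(flags_frag & 0x2000)


def check_fragment(packet):
    """'accept' if the fragment lies inside a legal datagram, else the drop reason."""
    _, start, end, _ = fragment_bounds(packet)
    if end > IP_MAX_LEN:
        return f"drop: fragment would end at byte {end}, beyond {IP_MAX_LEN}"
    return "accept"


def reassemble(fragments):
    """Reassemble one datagram's fragments (assumed 20-byte headers), refusing any
    fragment that fails the bounds check before its data touches the buffer."""
    buf = bytearray(IP_MAX_LEN)
    total = None
    for pkt in fragments:
        verdict = check_fragment(pkt)
        if verdict != "accept":
            raise ValueError(verdict)
        _, start, end, more = fragment_bounds(pkt)
        buf[start:end] = pkt[20:20 + (end - start)]
        if not more:
            total = end                        # last fragment fixes the datagram length
    return bytes(buf[:total]) if total is not None else None
```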